Posted by kdawson on Tuesday January 19, 2010 @04:26PM from the advanced-persistent-threat dept.

Grotendo writes "Microsoft plans to release an emergency patch for Internet Explorer very soon to counter targeted attacks and the publication of exploit code for a 'browse and you're owned' vulnerability in its flagship Web browser. The out-of-band update will be released once the company is satisfied that it has been properly tested against all affected versions of Windows. This could happen as early as this weekend." Microsoft has downplayed the seriousness of the IE zero-day, and insisted that it affects only IE6 even as security researchers close in on exploits for IE7 and IE8. Microsoft has had no comment about the firestorm that Google unleashed by directly accusing the Chinese of cyber espionage. ShadowServer has up a sobering post on the massive extent of the problem of "groups that can be referred to as the Advanced Persistent Threat."

I'm uploading the IE6 No More [ie6nomore.com] code to my website now. There's a point where users of outdated software need to be told there's four major cost-free options, including a much updated version of IE if they want to stick with IE. I'm almost thinking we should move from a warning to a service-denying error if this goes much further.

That wouldn't be very defiant now, would it? Maybe it is YOU who needs spelling lessons. "Defiantly" is a word, and is spelled correctly. And (completely unintentionally, most likely) the meaning actually works in this case.

Serious question here: does the Chrome frame for IE6 protect users from this attack? It would be interesting to know, as MS stated that it increased the security exposure (which is true in theory, but generally false in practice from what I've seen, as all attack surfaces are not created equal.)

If you got more free CPU power than all super-computers combined, you would just throw that away?

I don’t think so... ^^

I’d go straight to cracking every important security code on the planet. Federal reserve, CIA, every intelligence agency of every important country, every military lab, every weapons remote control (especially for nukes). And then I’d start making one single demand. One that would be impossible to undo, and would change the world forever. Meet it or you’re done.

I'm uploading the IE6 No More code to my website now. There's a point where users of outdated software need to be told there's four major cost-free options, including a much updated version of IE if they want to stick with IE.

Five.

It's missing Opera, which globally has more users than Chrome, for example, and wtfpwns both IE and Firefox combined market share in certain countries. In most European countries, Opera has more users than Safari and Chrome.

While the concept is neat, the choices aren't, and they are both offensive and ignorant.

Google *themselves* claim 40 million Chrome users. Opera Mini alone has more users than Chrome, not to mention the desktop version. And yet Chrome is represented by having ten times Opera Mini's market share according to those stats sites. Right...

Opera is massive in Eastern Europe [wikipedia.org]. On Russian, Ukrainian, and Polish sites it makes sense to push Opera. But does it make sense to push Opera to English users, based on Opera usage on mobile devices, when most visitors to the site are using a desktop browser? A study done by a Mozilla employee [wordpress.com] shows users are more willing to switch to Chrome or Firefox. Few users of non-Opera browsers are willing to switch to Opera.

Oh, an Opera website says it's widely used in the former Yugoslavia!

Tell you what: Find some market share data not on an Opera website and we can talk.

What's really funny is, if you click on the first link in the story on the Opera website, do you know what it links to? (wait for it...)

That's right, the first link in the Opera article about how they have more users than Chrome links to the market share data that I cited above, which shows Chrome at more than twice Opera's market share.

Considering how many single purpose devices I work on that still use IBM/MS DOS 3.3 I suspect IE6 will be dominant until corporations are forced to migrate to Win7/8. Big companies are spending their money on things that make them MORE money. Upgrading to IE 7/8 is NOT free and since IE6 "works" in the eyes of the boss there is no "need" to upgrade. I'm not aware of an enterprise deployment feature for FireFox or Chrome. I believe Opera may have one but I don't think it is free. Since XP and IE6 for the maj

That's a very good point. And all corporations will tell you that the only surfing you should be doing should be work related, so if you follow that rule, your chances of getting owned even on IE6 are pretty low.

Now I'm posting to slashdot during work hours, and I'm not even an IT guy, so you can see how followed that policy is. At least I'm on firefox.

I'm uploading the IE6 No More code to my website now. There's a point where users of outdated software need to be told there's four major cost-free options, including a much updated version of IE if they want to stick with IE. I'm almost thinking we should move from a warning to a service-denying error if this goes much further.

I'm sure corporate users who have IE6 forced upon them will appreciate it if they try to view your site.

I'm sure your response would be "well they can bring it up with their IT depar

That is no longer a valid excuse. The cost of upgrading to apps that support a recent version of IE should be significantly less than the cost of cleaning up after IE6.

Of course they're not going to do it until it bites them in the ass over and over, which is why I am happy every time I see an IE6 user get exploited. I've spent the last year of my life re-writing applications to be browser neutral for my job, so at least some companies are getting it.

I've asked our local IT guy (contractor) if the company had any plans to upgrade from IE 6 and he said no. Our HQ is on the left coast and that's where the ISD dept. resides. There are probably a couple applications that won't work properly with any other browser and that's keeping us with 6. Around the country we probably have a couple thousand work stations.

I know several companies and some university departments. IE6 intranet applications are the dumbest thing in the world, but the "If it ain't broke don't fix it" mantra doesn't consider security when gauging levels of "broke", only whether the intended purpose still works, and that's a business decision, not an Infosec/IT decision.

Yup, my company has had to spend some cash on developers to upgrade various web apps that only work with IE6. We were warning them about this in 2007 but it took transitioning to Vista and IE7 to finally get them to cut loose with the $$$. Silly management.

We are looking to migrate to IE8 in the next 3 months actually. We are currently on IE7. All of our applications work in any browser now. The only main issue is testing that the IE8 push won't break any workstations.

If Google started saying "You can't search until you upgrade!" they'd get the clue rather quickly. Google has reason to kill off IE6... it was the weapon used to attack them in China. Your IT desk likely uses Google multiple times a day... so a Google outage would get attention rather quickly.

Why, you ask, is an Electrical Engineer -- one who reads /., has acted as a sys admin for two start-ups, uses Linux at home (and Puppy for the kids, that's right, my 6-year-old uses Linux) and has over 25 years of programming and networking experience -- using IE6, a browser that MS itself has said, "oh god, please ditch it"?

Because I'm at work and some of the legacy applications here require it.

Using IE6 for that app, other browser for all the rest. Unless you're prohibited from running another browser; then having sites lock IE6 off can accelerate the transition, so they're helping you in the long run.

Yep, and it's almost wrong to be asking Microsoft to patch something as old as IE6 or XP at this point. Maybe OS licenses should say "You may use this program for 5 years." instead of perpetually because you're a danger to other people's systems when you don't update to modern software.

Maybe not, but when you work at a hospital in the IT department and your patient critical applications are still relying on IE6 because the vendor who wrote it sucks and can't figure out how to make it work with an updated browser, you appreciate that Microsoft, however insistent they are on dropping that old clunker of an app, is at least trying to resolve it.

While your point is made and understood, there are actually a few studies showing that both leeches and trepanning (or a modern day equivalent) have some valid therapeutic uses. No, I'm not going to bother with a cite as they're from some medical journals (dead tree, father is a traditionalist) which are at home.

Because some companies have contracts with MS that have them on Win2k until (if I recall correctly) the extended support is over, which is this summer, so MS can't really tell IE6 users to fuck off completely.

I'm sure they could get out of the contract at an unnecessary cost. MS made this mess and unfortunately we're stuck with it for awhile longer. Hopefully once the extended support is over then companies will start dumping their old stuff and upgrading.

True, IE 6 hasn't, but if you read the Microsoft bulletin it also says that IE 7 and 8 share the vulnerability.
http://www.microsoft.com/technet/security/advisory/979352.mspx [microsoft.com]
"Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows S

All I know is that three certain windows updates have been drilled into my Vista boot process for ever. Did someone really intentionally program an update process so that if it failed it would just try again?

Yes, there is. If you have a capped internet connection, downloading 100MB of updates can be annoying, but you allow it. Then you return and find out it actually consumed 300MB and it still failed to install it.

Windows 7 is actually almost as fast as XP. That's really good accounting for the numerous improvements made to the OS in the intervening 9 years. Almost every new software release requires better hardware, including Gnome and KDE.

Err, did you fail Reasoning 101? You forget all the new features, UI and security in Windows 7 compared to Windows XP which take up lots of resources. It's the same case with almost any other software, as hardware becomes more powerful, more features are added. If you want ultimate speed, go run Windows 95 or DOS 6.22 or Windows 3.1 on modern hardware, but don't complain when USB ports don't work.

And how many on slashdot are stuck with XP SP1 because SP2 causes too many problems? Of course, this means they're stuck with IE6 I believe (as opposed to upgrading to IE7 and IE8).

But, I think the key lesson is here... why don't we have ActiveX controls and Active Scripting disabled by default? IE is so popular, it is targeted. When FireFox takes IE's place as leading web browser of the world, what do you think will happen? (Maybe not to the same extent as IE.)

Has been stated and rebutted literally millions of times, the problem with M$ crap is not that it is popular, it is that it is criminally defective by design, and because of Backward Compatibility, and secret api's shared only with valued customers they absolutely can never fix it. Anyone who tells you about OS secrets is selling snake oil.
1. There are 3,500 Windoze api calls, POSIX < 200, Linux ~ 250, new functionality over 10 years,

2. Windoze will execute any crap based on ".ext" so it will just execute "

You clearly haven't used IE in years, or you are just trolling. IE8 handles tabs much better than Chrome or Firefox, and unlike firefox IE is sandboxed (this exploit doesn't affect ie8 in win7), to get similar functionality in firefox you have to install noscript and individually handle every single new website you go to. The problem with IE isn't its compliance to standards or acid tests (no one cares except web developers) it is that it's snail slow. The UI is atrocious but firefox really isn't any better

And you, dear nightspirit, didn't read TFA [computerworld.com] did you? Here, let me highlight a relevant passage for you... "While the public exploit only targets Internet Explorer 6 without DEP, Vupen Security has confirmed code execution with Internet Explorer 8 and DEP enabled," the company said in an e-mail. "Enabling DEP will only protect users from current exploits."

TL;DR? IE8 is totally pwned as well. They just haven't released the script into the wild yet. When they do any script kiddie can pwn ANY MSFT browser, from

Wow, big surprise, security company creates an exploit for money. That doesn't change the fact that the current 0-day doesn't affect IE8 on Windows 7. Exploits are found and patched all the time in firefox, safari, and chrome. Hell, in the Pwn2Own contests safari is always first to be cracked, Chrome currently has an unpatched critical vulnerability (secunia), and firefox actually has been doing quite well but still really requires noscript to be safe which cripples browsing the internet.
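The exchange above turns on which mitigations a given machine actually has: the IE version, whether DEP is enforced, and whether ActiveX, Active Scripting and Protected Mode are on in the Internet zone. The following host-audit script is an added example written for this discussion, not code from the thread or from Microsoft; it assumes the standard registry locations for IE zone settings (URL actions 1200, 1400, 2500) and the Win32_OperatingSystem DEP policy property, and reports findings from a defender's point of view.

```powershell
# Added example: audit one Windows host for the IE mitigations discussed above.
# Assumes IE zone settings live under HKCU (policy-enforced ones may be under HKLM instead).
# Run in an elevated PowerShell prompt.

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # zone 3 = Internet

function Get-IeVersion {
    $ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    if ($ie.svcVersion) { return [version]$ie.svcVersion }   # IE10+ records its real version here
    if ($ie.Version)    { return [version]$ie.Version }
    return $null
}

function Get-DepPolicy {
    # DataExecutionPrevention_SupportPolicy: 0=AlwaysOff 1=AlwaysOn 2=OptIn 3=OptOut
    $os = Get-WmiObject Win32_OperatingSystem
    switch ($os.DataExecutionPrevention_SupportPolicy) {
        0 { 'AlwaysOff' } 1 { 'AlwaysOn' } 2 { 'OptIn' } 3 { 'OptOut' } default { 'Unknown' }
    }
}

function Get-ZoneSetting([string]$Action) {
    # URL-action values: 0 = enabled, 1 = prompt, 3 = disabled; missing value = browser default
    $v = (Get-ItemProperty $zonePath -Name $Action -ErrorAction SilentlyContinue).$Action
    if ($null -eq $v) { return 'Default/unset' }
    switch ($v) { 0 { 'Enabled' } 1 { 'Prompt' } 3 { 'Disabled' } default { "Unknown($v)" } }
}

$ver = Get-IeVersion
$dep = Get-DepPolicy
$report = New-Object PSObject -Property @{
    IEVersion          = $ver
    DEPPolicy          = $dep
    ActiveX_1200       = Get-ZoneSetting 1200
    ActiveScript_1400  = Get-ZoneSetting 1400
    ProtectedMode_2500 = Get-ZoneSetting 2500
}

$findings = @()
if (-not $ver -or $ver.Major -le 6) { $findings += 'IE6 or older: no Protected Mode; upgrade the browser.' }
if ($dep -eq 'AlwaysOff' -or $dep -eq 'OptIn') { $findings += 'DEP is off or opt-in only; processes that do not opt in run without it.' }
if ($report.ActiveX_1200 -eq 'Enabled') { $findings += 'ActiveX controls run without prompting in the Internet zone.' }
if ($report.ActiveScript_1400 -eq 'Enabled') { $findings += 'Active Scripting is enabled in the Internet zone.' }
if ($ver -and $ver.Major -ge 7 -and $report.ProtectedMode_2500 -eq 'Disabled') { $findings += 'Protected Mode is turned off for the Internet zone.' }

$report | Format-List
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output 'No findings.' }
```

The zone values only describe the Internet zone; an intranet app that forces IE6 usually lives in the Local intranet zone (key 1), which has looser defaults and is worth checking the same way.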

And what's going to happen to all those "IE only" web sites the government, public schools and other agencies like to use?

They'll still exist, but the error page might get changed to:
"This page is IE only. Type '?browser=firefox' at the end of the URL to be automatically moved to the non-IE page. Safari users type '?browser=firefox' too. There are no other browsers *Jedi hand wave*."

At least two governments officially stating to avoid IE, others in fear, every single web developer in the country hating you, Google getting hacked, and every security expert on the planet laughing at you?

Wow. Just wow.

May I extrapolate from that what it would take to get a real Bugzilla for IE and make it follow recent standards? My guess: Inter-dimensional time war with Lovecraft’s the old ones, led by Cthulhu, fighting the Shrike and its army, armed with gamma ray bursts and black holes, using giant stars as ammunition.

They look totally different to the popup-style messages on compromised websites saying "Your Anti Virus is out of date! Download our version!" or "You have been infected by Win32.BullRubbish.exe.foobar! Upgrade to New Anticrap UberVirusWare 2011!"

You're training them to download stuff from the web, from sites they don't regularly visit / don't trust, because a popup told them to.